2014-08-24 18:18:18 +01:00
<section xmlns= "http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-luks-file-systems">
2018-05-02 00:57:09 +01:00
<title > LUKS-Encrypted File Systems</title>
2014-08-24 18:18:18 +01:00
2018-05-02 00:57:09 +01:00
<para >
2019-09-19 18:17:30 +01:00
NixOS supports file systems that are encrypted using
<emphasis > LUKS</emphasis> (Linux Unified Key Setup). For example, here is how
you create an encrypted Ext4 file system on the device
<filename > /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d</filename> :
2014-08-24 18:18:18 +01:00
<screen >
2020-09-22 23:38:47 +01:00
<prompt > # </prompt> cryptsetup luksFormat <replaceable > /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d</replaceable>
2014-08-24 18:18:18 +01:00
WARNING!
========
2016-05-25 12:23:32 +01:00
This will overwrite data on /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d irrevocably.
2014-08-24 18:18:18 +01:00
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: ***
Verify passphrase: ***
2020-09-22 23:38:47 +01:00
<prompt > # </prompt> cryptsetup luksOpen <replaceable > /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d</replaceable> <replaceable > crypted</replaceable>
2016-05-25 12:23:32 +01:00
Enter passphrase for /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d: ***
2014-08-24 18:18:18 +01:00
2020-09-22 23:38:47 +01:00
<prompt > # </prompt> mkfs.ext4 /dev/mapper/<replaceable > crypted</replaceable>
2014-08-24 18:18:18 +01:00
</screen>
2020-09-03 22:07:50 +01:00
The LUKS volume should be automatically picked up by
<command > nixos-generate-config</command> , but you might want to verify that your
<filename > hardware-configuration.nix</filename> looks correct.
To manually ensure that the system is automatically mounted at boot time as
2019-09-19 18:17:30 +01:00
<filename > /</filename> , add the following to
<filename > configuration.nix</filename> :
2014-08-24 18:18:18 +01:00
<programlisting >
2020-09-22 23:38:47 +01:00
<link linkend= "opt-boot.initrd.luks.devices._name_.device" > boot.initrd.luks.devices.crypted.device</link> = "<replaceable > /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d</replaceable> ";
<xref linkend= "opt-fileSystems" /> ."/".device = "/dev/mapper/<replaceable > crypted</replaceable> ";
2014-08-24 18:18:18 +01:00
</programlisting>
2019-09-19 18:17:30 +01:00
Should grub be used as bootloader, and <filename > /boot</filename> is located
on an encrypted partition, it is necessary to add the following grub option:
2018-04-05 09:43:56 +01:00
<programlisting > <xref linkend= "opt-boot.loader.grub.enableCryptodisk" /> = true;</programlisting>
2018-05-02 00:57:09 +01:00
</para>
2020-01-16 13:36:35 +00:00
<section xml:id= "sec-luks-file-systems-fido2" >
<title > FIDO2</title>
<para >
NixOS also supports unlocking your LUKS-Encrypted file system using a FIDO2 compatible token. In the following example, we will create a new FIDO2 credential
and add it as a new key to our existing device <filename > /dev/sda2</filename> :
<screen >
2020-09-22 23:38:47 +01:00
<prompt > # </prompt> export FIDO2_LABEL="<replaceable > /dev/sda2</replaceable> @ $HOSTNAME"
<prompt > # </prompt> fido2luks credential "$FIDO2_LABEL"
2020-01-16 13:36:35 +00:00
f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7
2020-09-22 23:38:47 +01:00
<prompt > # </prompt> fido2luks -i add-key <replaceable > /dev/sda2</replaceable> <replaceable > f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7</replaceable>
2020-01-16 13:36:35 +00:00
Password:
Password (again):
Old password:
Old password (again):
Added to key to device /dev/sda2, slot: 2
</screen>
To ensure that this file system is decrypted using the FIDO2 compatible key, add the following to <filename > configuration.nix</filename> :
<programlisting >
<link linkend= "opt-boot.initrd.luks.fido2Support" > boot.initrd.luks.fido2Support</link> = true;
2020-09-22 23:38:47 +01:00
<link linkend= "opt-boot.initrd.luks.devices._name_.fido2.credential" > boot.initrd.luks.devices."<replaceable > /dev/sda2</replaceable> ".fido2.credential</link> = "<replaceable > f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7</replaceable> ";
2020-01-16 13:36:35 +00:00
</programlisting>
You can also use the FIDO2 passwordless setup, but for security reasons, you might want to enable it only when your device is PIN protected, such as <link xlink:href= "https://trezor.io/" > Trezor</link> .
<programlisting >
2020-09-22 23:38:47 +01:00
<link linkend= "opt-boot.initrd.luks.devices._name_.fido2.passwordLess" > boot.initrd.luks.devices."<replaceable > /dev/sda2</replaceable> ".fido2.passwordLess</link> = true;
2020-01-16 13:36:35 +00:00
</programlisting>
</para>
</section>
2014-08-24 18:18:18 +01:00
</section>